This month is another important month for Microsoft Patch Tuesday and subscribers of our Cyber Thursday blog, with 75 vulnerabilities reported, 8 of which are considered “Critical” (RCE or LPE) vulnerabilities.
We start with 3 Zero-days, including 2 that are already being actively exploited. Do not delay getting your systems updated, as several of these vulnerabilities are favorites of our Cyber Advisors penetration testers.
- CVE-2022-26925 - Windows LSA Spoofing Vulnerability
  - To mitigate, we recommend administrators familiarize themselves with Microsoft's PetitPotam NTLM Relay advisory
  - Threat actors can intercept legitimate authentication requests, elevate privileges, and impersonate a Domain Controller
- CVE-2022-22713 - Windows Hyper-V Denial of Service Vulnerability
- CVE-2022-29972 - Insight Software: Magnitude Simba Amazon Redshift ODBC Driver [Azure Synapse and Azure Data Factory]
The other (8) 'Critical' vulnerabilities from Patch Tuesday:
- Azure SHIR
  - Upcoming improvements to Azure Data Factory and Azure Synapse Pipeline infrastructure in response to CVE-2022-29972
- RDC
  - Remote Desktop Client Remote Code Execution Vulnerability
- Self-hosted Integration Runtime
  - Insight Software: CVE-2022-29972 Magnitude Simba Amazon Redshift ODBC Driver
- Windows Active Directory
  - Active Directory Domain Services Elevation of Privilege Vulnerability
- Windows Kerberos
  - Windows Kerberos Elevation of Privilege Vulnerability
- Windows Network File System
  - Windows Network File System Remote Code Execution Vulnerability
- Windows NTFS
  - Windows NTFS Information Disclosure Vulnerability
- Windows Point-to-Point Tunneling Protocol
  - Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
Finally, there are other notable vulnerabilities from other vendors and technologies that should not be ignored:
- F5 (BIG-IP)
  - We recommend applying updates as soon as possible
  - Allows remote attackers to execute commands as 'root' without authentication
  - Interesting note: exploitation for shell dropping has been observed; if the appliance is misconfigured with 'Allow Default' on a Self IP, it is also vulnerable on non-management ports
  - We recommend that you apply this fix: https://support.f5.com/csp/article/K23605346
- Cisco
  - Three flaws affecting Enterprise NFVIS Software
- SAP
  - Remote Code Executions
- Adobe
  - Third-party patching, multiple advisories
- SonicWALL
  - Secure Mobile Access (SMA) 1000 vulnerability
Our Recommendations:
- Test and deploy patches to Domain Controllers to mitigate the new attack vector (NTLM Relay zero-day) related to CVE-2022-26925
- Test and deploy Microsoft patches and fixes
- Integrate Vulnerability Scanning and Vulnerability Management on a quarterly basis
- These threats are mitigated by implementing foundational security controls (such as monitoring/logging, MFA, identity and access controls, etc.)
- It is imperative to understand your critical assets in order to gauge risk and exposure, as new vulnerabilities are constantly appearing
- Threat actors are exploiting these flaws faster than ever
- Security measures and controls give visibility into network activity; if a compromise does occur, that insight shortens the time of exposure and helps remove persistent threats from the environment
- It is not a matter of if, it is a matter of when, so organizations need to be prepared to respond to a threat
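Part of the NTLM relay mitigation the first recommendation points at is configuration on the Domain Controller itself, not only the patch. The PowerShell audit below is an added example, not code from this post; it reads two documented Microsoft registry settings under the NTDS service key and assumes it is run elevated on the DC.

```powershell
# Added example (not from the Cyber Thursday post): audit a Domain Controller for the
# LDAP hardening that blunts NTLM relay, the attack class behind CVE-2022-26925.
# Assumes an elevated session on the DC. Values missing from the registry fall back
# to the Windows defaults (signing negotiated, channel binding not enforced).
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-RegValueOrDefault {
    param([string]$Path, [string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

# LDAPServerIntegrity: 1 = signing negotiated (default), 2 = signing required.
$signing = Get-RegValueOrDefault -Path $ntds -Name 'LDAPServerIntegrity' -Default 1
# LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always.
$cbt = Get-RegValueOrDefault -Path $ntds -Name 'LdapEnforceChannelBinding' -Default 0

$findings = @(
    [pscustomobject]@{
        Control = 'LDAP signing required (LDAPServerIntegrity = 2)'
        Current = $signing
        Pass    = ($signing -eq 2)
    },
    [pscustomobject]@{
        Control = 'LDAPS channel binding always (LdapEnforceChannelBinding = 2)'
        Current = $cbt
        Pass    = ($cbt -eq 2)
    }
)

$findings | Format-Table -AutoSize
if ($findings.Pass -contains $false) {
    Write-Warning 'Relayed NTLM authentication to LDAP/LDAPS is not fully blocked on this DC; harden before relying on the patch alone.'
}
```

These two settings cover the LDAP relay targets; Microsoft's PetitPotam advisory additionally covers Active Directory Certificate Services web enrollment, which this script does not check.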
References:
- https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2022-patch-tuesday-fixes-3-zero-days-75-flaws/
- https://thehackernews.com/2022/05/microsoft-releases-fix-for-new-zero-day.html
- https://www.bleepingcomputer.com/news/security/critical-f5-big-ip-vulnerability-exploited-to-wipe-devices/
- https://thehackernews.com/2022/05/cisco-issues-patches-for-3-new-flaws.html
- https://twitter.com/swc162018
- https://www.sonicwall.com/support/knowledge-base/security-notice-sma-1000-series-unauthenticated-access-control-bypass/220510172939820/